Tuesday, 25 November 2014

Economic globalization and digitization of information have revolutionized business and allowed for efficiency that was unimaginable a few decades ago. The ability to share information remotely means companies can coordinate with partners remotely, integrate suppliers, track shipments and communicate in real time with customers in distant markets. These trends represent a seismic shift in the way the world works.

But the shift has created new challenges and vulnerabilities that companies are only beginning to comprehend. The information that firms hold and exchange – including intellectual property, trade secrets and customer data – is rich with high value targets for criminal syndicates, governments, competitors, disgruntled insiders and hackers. Today’s business networks, which can include a few, a few dozen or a few thousand partners in various nations, are riddled with access points for motivated trespassers.

Information theft is a real and present danger, and the daily headlines chronicle how it is hitting profits, corporate and brand reputations, and cutting into markets. The rapidly mounting losses caused by these incidents are evidence that the way many companies are addressing the threat – typically with a combination of legal, IT and supply chain tools – tends to be reactive, taking place after the damage is already done.

In this new reality, companies need to take a holistic, risk-based approach that recognizes information assets as one of the keys to business success. Fortunately, most companies can leverage a system that they already have in place to address other key risks. Enterprise risk management (ERM), which is widely used to anticipate and grapple with other high-level business risks, can be adapted to address threats to IP and other proprietary information.

The scope and nature of the threat is evolving and growing:
A simple email is sometimes all it takes for a malicious employee to share valuable trade secrets with competitors – assets such as product plans, the findings of expensive research or a unique manufacturing process.

A complex supply chain can open the door for counterfeit parts to enter products and result in health and safety risks to consumers. Fake products and components have been found in virtually every industry – including military equipment, automobiles, pharmaceuticals, food and toys.

A coveted new technology can be copied and immediately distributed around the world. In an increasingly common narrative, it is a departing employee who is arrested after downloading company files with proprietary information on hybrid car technology, solar panel technology, high-tech fabric for military use, and financial system code.

Meanwhile, cyber intrusions that compromise consumer data or payment information for thousands or millions of customers are skyrocketing. These attacks have increased 66 percent year-on-year since 2009 – and have become much more costly on average, according to PwC’s recently published Global State of Information Security Survey for 2015. Globally, the annual estimated reported average financial loss attributed to cyber security incidents was $2.7 million, up 34 percent over 2013. Organizations reporting financial hits of $20 million or more in 2014 increased 92 percent in that period.

And this is just a partial picture. Some organizations choose not to report detected cyber intrusions for a variety of reasons, while many others are believed to go undetected, the report said.

Getting Out Front

The challenge for companies, as well as governments and other organizations, is to get ahead of the threat by anticipating a potential risk of information theft rather than reacting after it has become an urgent problem. In addition, they need to think beyond their traditional boundaries to be effective.

ERM is the most effective resource that companies possess for doing so. It is designed to help a company shift from dealing with negative events reactively to taking a proactive, preventative approach to the risks that it faces, and for strategically allocating resources to reduce the company’s risks internally and in its end-to-end supply chain.

The framework is widely used to take on issues such as financial stability, quality control, health and safety, environmental and labor issues. The system can be readily adapted to consider the business and compliance risks related to IP. Indeed, it is imperative that threats to these assets, which are now effectively the “crown jewels” for many companies, be considered alongside other key business risks.

The fundamental elements of ERM – though there are a couple of different models – are to systematically “identify, assess and manage” business risks.

For protecting intellectual property it is hard to overstate the importance of the first step – to identify risks. This requires a full accounting of a company’s intellectual property – that covered by patents, trademarks and copyrights as well as trade secrets and sensitive data – where it is located, and who has access to it.

Identifying vulnerabilities, internally and within the supply chain, is critical to addressing them. The PwC survey suggests that many companies have not done a comprehensive assessment. Just 52 percent of the respondents said they have a program to identify sensitive assets, and just 56 percent have taken the effort to inventory the collection, transmission, and storage of sensitive data for employees and customers.

The risk-management approach provides a way to rank threats by analyzing the probability of given problems – in this case, misappropriation of IP – and the severity of the damage each would cause.

That assessment in turn provides a return-on-investment basis for a risk management strategy. With respect to IP risk, it helps to focus allocation of resources for investment in IT security, and generates insights for improving IP protection processes, training employees, conducting due diligence on potential supply chain partners and creating contingency plans if sensitive information is compromised.

It is not surprising that companies have rushed to invest in cyber security over the past several years. Thefts of sensitive information through cyber attacks are the misappropriation incidents that get the most press – especially those apparently launched by foreign governments.

“(I)n the battle against cybercrime most companies spend the majority of their time and resources building a fence around their internal organization – including their data, systems and personnel,” according to the Global Information Security Survey 2014 published in October by Ernst and Young. “This is a starting point, but the perimeter is no longer stable, and a fence no longer possible.”

Theft by insiders remains more common. In the PwC survey, 57 percent of respondents viewed employees as the most likely source of a cyber attack, and 32 percent said insider crimes are more costly or damaging than incidents perpetrated by outsiders.

Last year’s data breach of Target stores, compromising the credit card and personal information of millions of customers, suggests how third party relationships might prove to be a conduit for theft. That incident reportedly traces back to carelessness on the part of a vendor providing heating, air conditioning and refrigeration services for the big box store.

It is important to note that no company is immune. As larger companies put in place more effective security safeguards, threat actors are increasingly stepping up their assaults on middle-tier companies, many of which may not have security practices that match the maturity of bigger businesses.

The value of the risk management approach is that it helps companies consider the whole business ecosystem and tailor a security strategy to manage IP risk internally and within the supply chain, as well as guarding against attacks from afar.

It is worth emphasizing that while IT security is essential, it is just one element required to protect IP from misappropriation.

Effective protection also requires buy-in from top leadership, and the input from all business divisions. A cross-functional team is instrumental for identifying important IP and risks, and ensuring policies are in place for handling sensitive information. The policies must be translated into procedures, reinforced by communication and training of employees.

Given today’s interconnected business ecosystem, vast amounts of data are generated and shared with business partners and suppliers, so due diligence on potential business partners should be of paramount importance. And within a business network, companies should also help key partners bolster their IP protection efforts – and, to the greatest extent possible, provide training for their employees.

It is without doubt a challenge to account for threats that are ever changing and traversing nations.

But the reality is that the efficiency we have gained through technology and sprawling global supply chains comes with its own weaknesses. Companies must identify their vulnerabilities and manage the risks thoughtfully, or find that their adversaries will exploit them – potentially at a much higher price.

Sunday, 23 November 2014

Gene Fredriksen, SC Magazine. Gene Fredriksen is the Global Information Officer at the Public Service Credit Union (PSCU).

We openly discuss and debate security technologies, but many organizations are reluctant to discuss the people-centric issue of insider threat. We are all aware of it, we inherently know the risk to our company, yet the topic seems to be taboo in many organizations. Whatever your organization or industry, regardless of size or location, we all face the unpleasant reality that we are vulnerable to an insider attack. In an era of team-building and empowerment, most organizations are hesitant to talk about the insider threat because it means that one of our own trusted employees may steal the lifeblood of the organization. The reality is that regardless of your industry, the size of your organization or the type of business you have, the insider threat is a menacing reality. To compound the issue, job consolidation and downsizing in many organizations has resulted in broader access to sensitive data by many of our employees. Most organizations are adept at knowing when an outsider attempts to access or steal proprietary data, but how do you sense data theft by an employee with legitimate access?

How prevalent is the issue? According to Forrester Research, insiders represented the top source of breaches over the last 12 months. Indeed, 25 percent of those participating in the study said a malicious insider was the most common way a breach occurred. Let's also acknowledge that insider attackers are likely to cause more damage than external attackers. The Open Security Foundation published data showing that while insiders were responsible for only 19.5 percent of incidents, those incidents were responsible for 66.7 percent of all exposed records.

Organizations need to do their part to deter intellectual property theft. It's time for the tough conversations. Involve all levels of management, HR and legal. Admit the susceptibility of your organization to the insider threat and develop aggressive plans to guard your organization.

The FBI offers the following advice to get started:

Educate and regularly train employees on security or other protocols.

Ensure that proprietary information is adequately, if not robustly, protected.

Ensure security (to include computer network security) personnel have the tools they need.

Remind employees that reporting security concerns is vital to protecting your company's intellectual property, its reputation, its financial well-being, and its future. They are protecting their own jobs.

At its root, this is a people and cultural issue. We can monitor with technology, but if we hope to fully address this threat we must develop programs that will change the way people think about their obligation to protect company data. Start having the hard conversations with senior management. You will find they are just as concerned with the “elephant in the room,” but may not have known a way to discuss it without violating company culture or seeming like “big brother.”

Further, use external resources to come in and talk about the insider threat. Additionally, take the initiative to help management understand that the insider threat is a pervasive problem that must be addressed. Bring the issue into the light and focus on culture change. The benefits to your organization are very real.


Wednesday, 19 November 2014

Hackers, notorious for stealing credit and debit-card information from stores, and other thieves are increasingly targeting medical records, which can be more valuable because they include such coveted data as Social Security numbers, birth dates, driver’s license numbers and checking-account numbers, experts say.

“There’s so much information that can be used in a variety of ways after it’s stolen,” he says, “such as opening a new checking account, filing fraudulent tax returns or getting a new consumer loan.”

Or even medical-identity hijacking, in which personal information is sold and used to get medical care. The theft can mean canceled insurance plans, damaged credit, misdiagnosed illnesses and unwarranted medical charges that can take over a year to fix.

Medical records typically sell on the black market for about $50 each, says Pascual. The thieves, often hackers from overseas, are rarely caught, and medical clinics and hospitals compound the problem by having poor record security and holding personal data for long periods.

This widespread problem of medical-record theft, which often targets children and the elderly, shows no signs of slowing.

The number of medical identity victims was up nearly 20% last year from 2012, the most recent data available, according to the Ponemon Institute, a research firm based in Traverse City, Mich. About 1.8 million Americans were victimized in 2013, at a cost of $12.3 billion.

One major factor behind the problem: the increasing digitization of medical records.

“Digitized records are much easier to steal than paper ones,” says Deborah Peel, a physician and founder of Patient Privacy Rights, a nonprofit advocacy group in Austin, Texas. “Once you needed a convoy to haul away records. Now all you need is a thumb drive.”

Digitized medical records can now also be stashed in millions of databases, she says, making them harder to correct because they’re in so many different locations if fraud does occur.

This summer, Community Health Systems, a hospital chain in 29 states, had its records hacked by a Chinese group that stole Social Security numbers and other data from 4.5 million patients, according to U.S. Department of Health and Human Services records.

Friday, 14 November 2014

If you have not yet endured an electronic patient data theft, you most likely will experience one before too long, experts warn. They say the transition to electronic health records (EHRs) has not been accompanied by adequate safeguards, and they are calling on physicians to do more to protect patient data.

“Health care systems will be seeing large-scale hacks of the type we’ve seen with retailers like Target,” said Katherine Downing, MA, the director of Health Information Management Practice Excellence at the American Health Information Management Association, in Chicago. Ms. Downing noted that the FBI recently warned health care providers about the likelihood of such cyber attacks (http://reut.rs/1w9sZSL).

Health data are much more valuable than data from other industries because EHRs typically contain far more information, said Ms. Downing. Indeed, a single complete EHR profile can include information on health insurance, prescription drugs, financial details and Social Security numbers. That wellspring of information means a record can sell for $50 on the black market, while a Social Security number fetches only $1 (http://bit.ly/1pS2nzz).

In Australia, police have no legislative powers to charge private health sector employees or contractors who steal patient data from their employer. In fact, there is almost complete ignorance within governments, at both State and Federal levels, of the lack of powers available to any authority to charge insiders who steal personal information.

Most business owners are not even aware of the issue and only come to realise they have nowhere to go, except the civil courts, after an event. The civil process is prohibitively expensive for most small businesses, particularly after a data theft has robbed the business of its main source of revenue. And if there is no data-specific contract with the insider data thief, there is little to no chance of getting a favourable decision.

If your business is in the private health industry, it is only a matter of time before a self-entitled insider steals a patient list. To have any chance of preventing insider data theft you need very specific data, IP and indemnity clauses in your agreements. In addition, your Privacy Policy with patients should be read, acknowledged and signed by all employees, sub-contractors and anybody else who has lawful access to the business (for example cleaners, IT contractors, etc.). An indemnity clause should also be included and acknowledged by the signatory.

Wednesday, 12 November 2014

Identity crime has become one of the most common, costly and disturbing crimes in Australia, according to federal government analysis.

The total economic impact of identity crime to the economy is estimated at more than $1.6 billion each year.

And the use of fraudulent identities continues to be a key enabler of serious, organised crime and terrorism.

In 2011-12 more Australians reported being a victim of identity crime than victims of robbery, motor vehicle theft, household break-ins or assault.

New figures in a government report released today show that each year between 750,000 and 900,000 people fall victim to identity crime resulting in financial loss.

The report compiles data and information from 54 different Commonwealth, state and territory agencies, as well as the private sector.

Key findings:

The majority of identity crime is classified as credit card fraud and most victims lose less than $1,000.

The total value of credit card fraud was being driven upwards by card-not-present fraud where a transaction is made using only the credit card details and not the physical card. In 2005-06 there were more than $13 million worth of these frauds, but in 2012-13 that had reached more than $82 million.

About 1 in 10 identity crime victims experiences mental or physical health issues requiring treatment and around one in 17 is wrongly accused of a crime.

Intelligence from the Australian Federal Police and the Department of Foreign Affairs and Trade indicates that fraudulent identity documents can be purchased on the black market for as little as $80 for a Medicare card, a few hundred dollars for a birth certificate or driver’s licence and as much as $30,000 for a “genuinely” issued passport with fraudulent details.

Of the 40,000 fraud offences proven each year in Australia, around 15,000 were enabled through the use of stolen or fabricated identities. There are also about 7,000 core identity crime offences proven each year, including activities such as manufacturing fraudulent credentials and false representations.

Monday, 3 November 2014

The chairman of the corporate regulator fired a shot across the bow of policymakers this week, describing Australia as a “paradise” for white-collar criminals due to lax penalties.

“In Australia, it’s worth breaking the law to do the trade — it’s a big problem,” Greg Medcraft told a business lunch on Tuesday. “Civil penalties for white-collar offences are just not strong enough.”
The Australian Securities and Investments Commission is the body that regulates the financial market and acts as the first line of defence in policing white-collar crimes.

Mr Medcraft, whose comments represent the latest step in a bitter dance between the financial industry and its watchdog, said consumers needed to be “extremely careful” when dealing with financial planners.
Ian Ramsay, director of the Centre for Corporate Law and Securities Regulation in Melbourne, agrees with Mr Medcraft’s comments.

He says that while ASIC has become increasingly effective in policing the market, its data on white collar crime represents the “tip of the iceberg”. “There’s a whole lot of stuff that inevitably goes undetected,” Mr Ramsay told news.com.au.

So what does white collar crime actually involve?

Professor Fiona Haines from The University of Melbourne says that regulators have long struggled with a classification scheme — by its very nature it is designed to exist in the shadows of the corporate world.
“Defining white collar crime is very difficult,” she said.

Nevertheless, here is your need-to-know guide on some of the types of white collar crime Australia must be tougher on.

Personal data was stolen from 100 million Americans this year in cyber attacks and thefts from retailers, banks, medical centres and hospitals. Many of them will become victims of identity theft.

While the financial hit to people and companies is real, the emotional impact can be "life-altering," said Terrell McSweeny, a member of the Federal Trade Commission, at a conference Wednesday.

It's essential "to remember that there is a human face on each of these ID crimes," she said, speaking at Google Inc.'s offices in Washington, D.C. The conference was organized by the Identity Theft Resource Center, an organization that collects data and provides advice to consumers and businesses on dealing with fraud.

Some victims have had their names wrongly invoked in arrest reports and court records of other people's crimes. Victims say the violation brings with it anger, anxiety, sadness, shame and even suicidal thoughts.

While theft of credit card information remains the most common type of cyber fraud, medical identity theft is growing. It can result in victims being billed for medical services and prescriptions they didn't receive, or finding another person's health information in their medical records. Consequently, they can be denied health benefits or insurance.

There hasn't been an organized effort involving doctors and hospitals to combat medical ID theft in the way the financial services industry has done, said Steve Toporoff, an attorney in the FTC's privacy and identity protection division, who also spoke at the conference.

Data Theft Au: In Australia, stolen identities have been used to lodge vexatious accusations with the NSW Health Complaints Commission (HCCC) and Police against other innocent victims, causing lengthy investigations and false arrests before the claims are found to be erroneous.

In a recent case, currently before the HCCC and Police, investigators took over 11 months to establish that extremely damning vexatious claims against a doctor were false. Whilst the report was made using a stolen identity and the person using the stolen identity is known, NSW Police and the HCCC have so far refused to prosecute.

In a game of political football, the NSW Fraud Squad claimed the HCCC had to lodge a fraud report with them, and the HCCC claimed the Police had to request information from them.

Saturday, 1 November 2014

Following the windup of Roselyn Singh's company UTSG Consortium Pty Ltd by ASIC earlier in 2014, appointed liquidators, Cor Cordis attempted to contact the company's director Roselyn Singh. Singh told Cor Cordis she wasn't the Roselyn Singh they needed to speak to, it was another Roselyn Singh and she now works somewhere else.

The liquidators failed to speak to or locate any other Roselyn Singhs listed as directors of UTSG Consortium. Singh also used her middle name "Kamlashni" with another DOB to register as a director, making it seven different Singhs acting as directors.

Cor Cordis finally gave up and reported to ASIC that all directors had refused to cooperate with the liquidators. Singh could be charged for providing ASIC with false or misleading information; however, an ASIC spokesperson said, in words to the effect:

"they had written to Singh and her associated companies however weren't going to do much about it".

Singh stripped UTSG Consortium of its assets, leaving not even enough for the liquidators to call a creditors meeting. Roselyn Singh and son Brendon Singh are now directors at UTSG Global Pty Ltd. Roselyn Singh's DOB and Place of Birth are listed with ASIC as 29/06/1968, SUVA, FIJI.